How Vulnerable Is Industrial Control? You Might Be Surprised

Think your industrial control system is safe? See how many times one test entity got hit and how fast it happened. Maybe you should rethink what you're doing.

Just how secure are US industrial control systems? It seems the answer is a resounding "Not very."

There are several reasons. Joe Weiss, an industrial control system expert, wrote in a recent Control Global blog post that the IT security industry attempts to provide industrial control security by modifying current products, giving rise to the notion that the industry has no concept of the technology it is attempting to secure. He stresses that, before IT vendors implement technology at the real-time control layer, they need to have substantial domain experience -- actual control system experience at the type of industrial facility or environment to which they are selling.

Security is different. It's not a matter of implementing systems that work fine in an office or corporate facility. If the same means are used to see if hardware is running appropriately, the result might be a total shutdown of a controller in an industrial control situation. If you are in charge of implementing such a system, choose someone who has hands-on experience within your industry first and is a technology guru as a close second.

In his research work for a recent Trend Micro whitepaper on critical infrastructure dangers, Kyle Wilhoit created a test connecting two dummy control systems and a real one to the Internet to see if they would be hacked and how long it would take. Want to guess? Eighteen hours.

Here's what was used:

A honeypot architecture emulating several industrial control/SCADA devices that are consistently used

A mix of high- and low-interaction devices that mimicked the setup of a water pressure station in a small town

Honeypots with common vulnerabilities and misconfigurations

Over 28 days, the three devices were attacked 39 times. Thirty-five percent of the attacks came from China, and 19 percent came from the US. Twelve were unique targeted attacks, and 13 were repeat attacks by the same entities over multiple days.

The attacks resulted in modified settings to change water pressure and stop water flow. Some involved sending administrators emails with malicious software attachments that could take over a commonly used controller.

Some of these hackers were bent on specifically attacking and controlling the system, but several had no reason at all for attacking -- the "because it's there" mentality.

Siemens has announced that it will deliver managed services for defense-in-depth control security. Responding to the Stuxnet virus of a few years ago, Siemens has been innovative in the ICS security arena and was the first company to advise users to rely on air gaps. In this strategy, a secure network is physically isolated from insecure networks (again, those where IT reigns), such as the Internet or an insecure LAN. As a result, computers on either side of the gap cannot communicate with one another.

Now Siemens is taking its expertise to the street by creating a managed service with three layers of defense-in-depth support:

Industrial security services

Security management

Products and systems

The service has not been rolled out yet, but it will cover assessment and analysis, implementation, operation, and management. Watching the offerings evolve will be interesting.

Who else is involved? The US Department of Homeland Security has a Control System Security Program with an Industrial Control Systems Joint Working Group to mitigate risk to the country's industrial control systems and to share information. This group concentrates not only on the obvious waterways and pipelines of the country, but also on private asset owners/operators of industrial control systems.

So far, there are six subgroups specifically addressing cybersecurity challenges within this large and complex community.

International Subgroup: This group handles international collaboration and information sharing, incident response, and the challenges involved in sharing sensitive information between governments.

R&D Subgroup: It identifies current and future needs, priorities, and desired areas of research.

Roadmap to Secure Industrial Control Systems: This group maintains a Cross Sector Roadmap to address cyberrisk management within control system environments, and it coordinates the roadmap's use.

Vendor Subgroup: Members of this group identify ways to improve information sharing.

Workforce Development Subgroup: It identifies security curricula and recommends enhanced or new ones. It also evaluates certification programs and works to develop an outreach plan for the workforce.

Standards Subgroup: This group identifies security standards, assesses and evaluates a relevant set of baseline control systems standard requirements, and updates and maintains a catalogue of timely and practical control systems cybersecurity requirements for use by standards development organizations.

I know that, in the interest of the security of your own system, you can't disclose much in the way of information, but please share what steps are necessary from a theoretical point of view, or your experiences in any manner you are free to do so. This is a really critical subject that should be front and center, not on page 30 with the obituaries.

Joe Weiss is 100% correct. Many companies talk about security, but their management team has no idea what is going on or what is required for information security processes to be successful for their product. I worked in the area of information security for many years before moving into higher education where I teach courses in this area. We still have a long way to go before companies understand that security should always be at the top of the list.

The current security paradigms are moving away from most of the defenses being at the gateway to the system, because it leads to targets that are described as "crunchy on the outside but soft on the inside". Based on that, many would advise making these controllers more resistant to attack. Unfortunately, they are relatively unsophisticated devices. What needs to happen is the creation of an effective strategy to protect their programming. For example, you could set up a disconnected computer to program them (the "air gap" that was described in the article) and set up strict scanning protocols for both that machine and the media used to transfer files to it.

This works as long as the controllers can be effective on disconnected systems. Unfortunately, from a security point of view, they are most efficient when feeding their data to a network. This requires very strong network configuration and monitoring, but if it can be separated from the programming interface, that might be effective.
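The article's description of the air gap and the comment above about a disconnected programming computer with strict checks on transfer media both leave open what "strict scanning protocols" for that media might look like in practice. The following is an added example, written for this page and not taken from the article, Siemens, or any commenter. It assumes a simple workflow: the connected side writes a manifest listing every file with its size and SHA-256 hash and authenticates the manifest with an HMAC under a secret shared only with the isolated programming station; the isolated side recomputes every hash, checks the HMAC, rejects files that are not in the manifest or not on an allowlist of file types, and reports every problem rather than stopping at the first. The file names, the allowlist, and the shared secret are all constructed for the example.

```python
"""Integrity gate for files carried across an air gap (added example).

Assumed workflow: build_manifest() runs on the connected side before the media
is unplugged; verify_transfer() runs on the isolated programming station before
any file is opened. The shared key is an assumption of this example and would be
provisioned out of band on the two stations only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed allowlist for this example; a real site would define its own.
ALLOWED_SUFFIXES = {".prj", ".csv", ".txt"}
MANIFEST_NAME = "manifest.json"  # the manifest itself is never hashed into the list


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large project archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation so both sides authenticate exactly the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def _files_in(directory: Path) -> dict:
    return {p.name: p for p in directory.iterdir()
            if p.is_file() and p.name != MANIFEST_NAME}


def build_manifest(directory: Path, key: bytes) -> dict:
    """Connected side: list every file with size and hash, then HMAC the list."""
    entries = {name: {"size": p.stat().st_size, "sha256": sha256_of(p)}
               for name, p in sorted(_files_in(directory).items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_transfer(directory: Path, manifest: dict, key: bytes) -> list:
    """Isolated side: return every problem found; an empty list means the media passes."""
    problems = []
    entries = manifest.get("entries", {})
    expected_mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        problems.append("manifest MAC does not verify")
        return problems  # nothing in the manifest can be trusted after this

    present = _files_in(directory)
    # Anything on the media that the manifest does not account for is rejected.
    for name in sorted(set(present) - set(entries)):
        problems.append(f"{name}: not in manifest")
    for name, meta in entries.items():
        p = present.get(name)
        if p is None:
            problems.append(f"{name}: listed in manifest but missing")
            continue
        if p.suffix.lower() not in ALLOWED_SUFFIXES:
            problems.append(f"{name}: file type not allowed")
        if p.stat().st_size != meta["size"]:
            problems.append(f"{name}: size mismatch")
        elif not hmac.compare_digest(sha256_of(p), meta["sha256"]):
            problems.append(f"{name}: hash mismatch")
    return problems


def demo() -> dict:
    """Constructed walk-through: a clean transfer, a tampered one, and a forged manifest."""
    key = b"constructed-shared-secret"  # assumption: known only to the two stations
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "pump_station.prj").write_bytes(b"constructed PLC project bytes")
        (media / "setpoints.csv").write_text("pressure_bar,4.2\n")
        manifest = build_manifest(media, key)
        clean = verify_transfer(media, manifest, key)

        # Changes made after the manifest was built: a setpoint edit of the same
        # length (size check alone would miss it) and a stray file of a banned type.
        (media / "setpoints.csv").write_text("pressure_bar,9.9\n")
        (media / "update.exe").write_bytes(b"constructed stray file")
        tampered = verify_transfer(media, manifest, key)

        # A rebuilt manifest without the real key fails the MAC check outright.
        forged = build_manifest(media, b"wrong-key")
        forged_result = verify_transfer(media, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or ["OK"])
```

The size check is deliberately kept separate from the hash check: the tampered setpoint file in the walk-through has the same length as the original, which is exactly the case a size-only comparison misses. Returning a full list of problems rather than a single boolean lets the operator on the isolated side log what was wrong with the media, which matters more than a pass/fail when the alternative is plugging unknown files into a controller.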